Jasig CAS Client is vulnerable to XML External Entity (XXE) injection. The attacker can trigger the attack by sending malicious XML data because it does not prevent loading malicious XML data via java/org/jasig/cas/util/SamlUtils.java
in Jasig CAS server when Google Accounts Integration is on.